Sunshine Clickjacking Vulnerability in Web UI

Vulnerability

A Clickjacking vulnerability has been identified in the Sunshine web application, which is a self-hosted game stream host for Moonlight. This issue is present in versions through 2025.122.141614. The vulnerability arises because the web UI lacks proper protections against being embedded in iframes, allowing attackers to create malicious pages that interact with the Sunshine interface without the user's consent. Exploitation of this vulnerability could be used to manipulate features on the Troubleshooting page, such as unpairing all clients from the Sunshine instance, disrupting service and remote access capabilities.

Impact

Exploitation of this vulnerability can cause an authenticated user to unintentionally perform actions within the Sunshine application, such as unpairing clients, changing configuration settings, or restarting the Sunshine instance. This could lead to service disruptions and loss of remote access capabilities, requiring affected users to reconfigure their clients.

Remediation

Users can update to Sunshine version 2025.628.4510 or later, where this vulnerability has been patched.
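
To confirm that an instance no longer allows itself to be framed after updating, an operator can inspect its response headers. The check below is an added example, not code from this advisory or from the Sunshine project. The advisory does not say which header the fix sets, so the function accepts either standard defence (X-Frame-Options or CSP frame-ancestors), and all header samples are constructed.

```python
# Added example. All header samples are constructed, not captured from Sunshine.

def frame_ancestors(policy):
    """Return the frame-ancestors source list of one CSP policy, or None if absent."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def framing_protection(headers):
    """headers: (name, value) pairs from one response. Returns (protected, reason)."""
    policies, xfo = [], []
    for name, value in headers:
        name = name.lower()
        if name == "content-security-policy":
            policies += value.split(",")  # one header may carry several policies
        elif name == "x-frame-options":
            xfo += [v.strip().upper() for v in value.split(",")]
        # Content-Security-Policy-Report-Only is skipped: it only reports.
    source_lists = [s for s in map(frame_ancestors, policies) if s is not None]
    if source_lists:
        # With an enforced frame-ancestors, browsers ignore X-Frame-Options.
        # Every policy applies, so one strict list is sufficient.
        if any(all(s in ("'none'", "'self'") for s in lst) for lst in source_lists):
            return True, "CSP frame-ancestors restricts framing to none/self"
        return False, "CSP frame-ancestors permits other origins"
    if any(v in ("DENY", "SAMEORIGIN") for v in xfo):
        return True, "X-Frame-Options"
    if xfo:
        return False, "X-Frame-Options value not honoured by browsers: " + ", ".join(xfo)
    return False, "no anti-framing header"


SAMPLES = {
    "unprotected": [("Content-Type", "text/html")],
    "xfo": [("X-Frame-Options", "DENY")],
    "csp": [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")],
    "report_only": [("Content-Security-Policy-Report-Only", "frame-ancestors 'none'")],
    "obsolete": [("X-Frame-Options", "ALLOW-FROM https://example.invalid")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, framing_protection(hdrs))
```

A `False` result with the reason "permits other origins" means the policy names origins beyond the instance itself and should be reviewed rather than assumed safe.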

Added: Jul 1, 2025, 2:28 AM
Updated: Jul 1, 2025, 2:28 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.1
exploitability: 7.0
remediation: 7.7
relevance: 0.2
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.